Current technologies for generation of API-function call logs during program execution require intervention in the contents of the address space of the processes or files on the hard drive disk, such as changing the code in system libraries of the operating system in memory and on disk. Such changes include the “introduction of a code” responsible for the mechanism of logging of API-function calls. The main steps of this mechanism may be as follows:
interception of library management (for example, by intercepting API functions by changing the code of the destination function);
transition during API call to the region of memory containing the handler code responsible for processing API functions and logging calls;
execution of the code of the handler of the logging system;
return of control over the library.
To capture the control over the logging system, there can also be used methods for changing the addresses of API function calls from the libraries in the import table of the executable file and/or placement of an “intermediate” library, to which the initial call is directed before transition to the originally called API-function from the original library.
One drawback of existing logging systems is that it is difficult to implement this logging system on different operating systems and their versions. For example, an update of an OS may cause the logging system to stops working and may require modifications to work with the updated OS. Another drawback is that presence of a logging system can be detected by malicious programs, regardless of their privileges, as virtually any “intrusion” into the address space of a process can be detected by malicious programs.
Accordingly, there is a need to improve mechanisms for logging of API function calls.